1

Quite some years ago, I set up a vsftpd server with virtual users, according to some howtos (still) to be found on the internet, using pam_userdb.

Like this: A file called /etc/pam.d/vsftpd.virtual:

#%PAM-1.0
auth required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
account required pam_userdb.so db=/etc/vsftpd/users crypt=crypt
session required pam_loginuid.so

A setting inside /etc/vsftpd/vsftpd.conf:

pam_service_name=vsftpd.virtual 

And a BerkeleyDB containing the user and password hashes (/etc/vsftpd/users.db).

According to the manpage of pam_userdb, this module only supports clear-text passwords or crypted ones, always in a BerkeleyDB.

Meanwhile, this approach seems both dated and impractical to me, as plain crypted passwords are insecure (not even speaking of the clear text variant), and the handling of a BerkeleyDB containing them makes using some wrapper necessary.

So: Is there some alternative PAM module that e.g. can handle a plain text file with users and bcrypted passwords? Or at least with passwords using some SHA hash? That can be updated using e.g. htpasswd (or mkpasswd)? Something like a Dovecot users file, or an htaccess file for use with e.g. Lighttpd?

Something like

some_user:$2y$05$ensqtXGZXUf5DQosKk51.utplrWUqkeZzNNI8.lCVT.K86uillL4a 

? I suppose some other PAM module could be used by vsftpd in the same way? Thanks for all help!

2
  • 2
    FTP is at least as dated as pam_userdb... Commented Dec 8, 2021 at 8:57
  • 2
    Which does not really answer the question very well. Commented Dec 8, 2021 at 12:51

2 Answers

1

Is there some alternative PAM module that e.g. can handle a plain text file with users and bcrypted passwords? Or at least with passwords using some SHA hash? That can be updated using e.g. htpasswd (or mkpasswd)?

libpam-pwdfile seems to be what you are looking for.

From the README:

The password file basically looks like passwd(5): one line for each user with two or more colon-separated fields. First field contains the username, the second the crypt()ed password. Other fields are optional.

crypt()ed passwords in various formats can be generated with mkpasswd from the whois package.

4
  • This looks very promising! Thanks, I'll have a look at that. Commented May 16, 2024 at 8:24
  • It looks like that project was abandoned over a decade ago. Commented Sep 25 at 7:17
  • @Thayne If you are still using FTP, does that really matter to you? :-) Time to migrate to sftp. Commented Sep 25 at 12:11
  • My use case is for something else, where I want PAM to use an alternative password file from /etc/passwd (and /etc/shadow) for certain commands. Commented Sep 25 at 17:24
1

Arch Linux has a very good guide on setting this up:

/etc/pam.d/vsftpd:

auth required pam_pwdfile.so pwdfile /etc/vsftpd/.passwd
account required pam_permit.so

more details on Arch Linux wiki
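Added example (not part of either answer, nor code from libpam-pwdfile): a small Python audit of a password file in the passwd(5)-style format the README describes, reporting entries whose crypt() scheme is weak or whose bcrypt cost is low. The scheme table, the cost floor of 10 and every sample line except the question's `some_user` entry are assumptions constructed for illustration; the script only classifies hash prefixes and does not check which schemes the PAM module accepts.

```python
import re

# Constructed sample file; only the first line is taken from the question.
SAMPLE = """\
some_user:$2y$05$ensqtXGZXUf5DQosKk51.utplrWUqkeZzNNI8.lCVT.K86uillL4a
alice:$6$c0nstructedsalt$CONSTRUCTEDHASHVALUE:comment field
bob:$1$c0nstruc$CONSTRUCTEDHASHVALUE00
carol:abJnggxhB/yWI
dave
alice:$5$c0nstructedsalt$CONSTRUCTEDHASHVALUE
"""
# (pattern, scheme name, acceptable under the assumed policy)
SCHEMES = [
    (re.compile(r"^\$2[abxy]?\$\d{2}\$"), "bcrypt", True),
    (re.compile(r"^\$6\$"), "sha512-crypt", True),
    (re.compile(r"^\$5\$"), "sha256-crypt", True),
    (re.compile(r"^\$y\$"), "yescrypt", True),
    (re.compile(r"^\$1\$"), "md5-crypt", False),
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "des-crypt", False),
]
MIN_BCRYPT_COST = 10  # assumed policy floor, not a value from the page

def classify(hash_field):
    for pattern, name, ok in SCHEMES:
        if pattern.match(hash_field):
            return name, ok
    return "unknown", False  # covers empty and clear-text fields

def audit_pwdfile(text):
    """Return (lineno, user, finding) for every problem in the file."""
    findings, seen = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")  # user:hash[:optional fields]
        if len(fields) < 2 or not fields[0]:
            findings.append((lineno, None, "malformed line"))
            continue
        user, pw = fields[0], fields[1]
        if user in seen:
            findings.append((lineno, user, "duplicate username"))
        seen.add(user)
        scheme, ok = classify(pw)
        if not ok:
            findings.append((lineno, user, f"weak or unknown scheme: {scheme}"))
        elif scheme == "bcrypt" and int(pw.split("$")[2]) < MIN_BCRYPT_COST:
            findings.append((lineno, user, "bcrypt cost below policy floor"))
    return findings
```

Run against the question's sample line, it accepts the bcrypt scheme but reports the cost of 05 as below the assumed floor.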
